Documentation ¶
Index ¶
- func CfnResourcePolicy_CFN_RESOURCE_TYPE_NAME() *string
- func CfnResourcePolicy_IsCfnElement(x interface{}) *bool
- func CfnResourcePolicy_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnResourcePolicy_IsConstruct(x interface{}) *bool
- func CfnRotationSchedule_CFN_RESOURCE_TYPE_NAME() *string
- func CfnRotationSchedule_IsCfnElement(x interface{}) *bool
- func CfnRotationSchedule_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnRotationSchedule_IsConstruct(x interface{}) *bool
- func CfnSecretTargetAttachment_CFN_RESOURCE_TYPE_NAME() *string
- func CfnSecretTargetAttachment_IsCfnElement(x interface{}) *bool
- func CfnSecretTargetAttachment_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnSecretTargetAttachment_IsConstruct(x interface{}) *bool
- func CfnSecret_CFN_RESOURCE_TYPE_NAME() *string
- func CfnSecret_IsCfnElement(x interface{}) *bool
- func CfnSecret_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnSecret_IsConstruct(x interface{}) *bool
- func NewCfnResourcePolicy_Override(c CfnResourcePolicy, scope constructs.Construct, id *string, ...)
- func NewCfnRotationSchedule_Override(c CfnRotationSchedule, scope constructs.Construct, id *string, ...)
- func NewCfnSecretTargetAttachment_Override(c CfnSecretTargetAttachment, scope constructs.Construct, id *string, ...)
- func NewCfnSecret_Override(c CfnSecret, scope constructs.Construct, id *string, props *CfnSecretProps)
- func NewResourcePolicy_Override(r ResourcePolicy, scope constructs.Construct, id *string, ...)
- func NewRotationSchedule_Override(r RotationSchedule, scope constructs.Construct, id *string, ...)
- func NewSecretRotationApplication_Override(s SecretRotationApplication, applicationId *string, semanticVersion *string, ...)
- func NewSecretRotation_Override(s SecretRotation, scope constructs.Construct, id *string, ...)
- func NewSecretTargetAttachment_Override(s SecretTargetAttachment, scope constructs.Construct, id *string, ...)
- func NewSecret_Override(s Secret, scope constructs.Construct, id *string, props *SecretProps)
- func ResourcePolicy_IsConstruct(x interface{}) *bool
- func ResourcePolicy_IsResource(construct constructs.IConstruct) *bool
- func RotationSchedule_IsConstruct(x interface{}) *bool
- func RotationSchedule_IsResource(construct constructs.IConstruct) *bool
- func SecretRotation_IsConstruct(x interface{}) *bool
- func SecretTargetAttachment_IsConstruct(x interface{}) *bool
- func SecretTargetAttachment_IsResource(construct constructs.IConstruct) *bool
- func Secret_IsConstruct(x interface{}) *bool
- func Secret_IsResource(construct constructs.IConstruct) *bool
- type AttachedSecretOptions
- type AttachmentTargetType
- type CfnResourcePolicy
- type CfnResourcePolicyProps
- type CfnRotationSchedule
- type CfnRotationScheduleProps
- type CfnRotationSchedule_HostedRotationLambdaProperty
- type CfnRotationSchedule_RotationRulesProperty
- type CfnSecret
- type CfnSecretProps
- type CfnSecretTargetAttachment
- type CfnSecretTargetAttachmentProps
- type CfnSecret_GenerateSecretStringProperty
- type CfnSecret_ReplicaRegionProperty
- type HostedRotation
- func HostedRotation_MariaDbMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_MariaDbSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_MongoDbMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_MongoDbSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_MysqlMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_MysqlSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_OracleMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_OracleSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_PostgreSqlMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_PostgreSqlSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_RedshiftMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_RedshiftSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_SqlServerMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_SqlServerSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- type HostedRotationType
- func HostedRotationType_MARIADB_MULTI_USER() HostedRotationType
- func HostedRotationType_MARIADB_SINGLE_USER() HostedRotationType
- func HostedRotationType_MONGODB_MULTI_USER() HostedRotationType
- func HostedRotationType_MONGODB_SINGLE_USER() HostedRotationType
- func HostedRotationType_MYSQL_MULTI_USER() HostedRotationType
- func HostedRotationType_MYSQL_SINGLE_USER() HostedRotationType
- func HostedRotationType_ORACLE_MULTI_USER() HostedRotationType
- func HostedRotationType_ORACLE_SINGLE_USER() HostedRotationType
- func HostedRotationType_POSTGRESQL_MULTI_USER() HostedRotationType
- func HostedRotationType_POSTGRESQL_SINGLE_USER() HostedRotationType
- func HostedRotationType_REDSHIFT_MULTI_USER() HostedRotationType
- func HostedRotationType_REDSHIFT_SINGLE_USER() HostedRotationType
- func HostedRotationType_SQLSERVER_MULTI_USER() HostedRotationType
- func HostedRotationType_SQLSERVER_SINGLE_USER() HostedRotationType
- type ISecret
- func Secret_FromSecretAttributes(scope constructs.Construct, id *string, attrs *SecretAttributes) ISecret
- func Secret_FromSecretCompleteArn(scope constructs.Construct, id *string, secretCompleteArn *string) ISecret
- func Secret_FromSecretNameV2(scope constructs.Construct, id *string, secretName *string) ISecret
- func Secret_FromSecretPartialArn(scope constructs.Construct, id *string, secretPartialArn *string) ISecret
- type ISecretAttachmentTarget
- type ISecretTargetAttachment
- type MultiUserHostedRotationOptions
- type ReplicaRegion
- type ResourcePolicy
- type ResourcePolicyProps
- type RotationSchedule
- type RotationScheduleOptions
- type RotationScheduleProps
- type Secret
- type SecretAttachmentTargetProps
- type SecretAttributes
- type SecretProps
- type SecretRotation
- type SecretRotationApplication
- func NewSecretRotationApplication(applicationId *string, semanticVersion *string, ...) SecretRotationApplication
- func SecretRotationApplication_MARIADB_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_MARIADB_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_MONGODB_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_MONGODB_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_MYSQL_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_MYSQL_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_ORACLE_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_ORACLE_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_POSTGRES_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_POSTGRES_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_REDSHIFT_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_REDSHIFT_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_SQLSERVER_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_SQLSERVER_ROTATION_SINGLE_USER() SecretRotationApplication
- type SecretRotationApplicationOptions
- type SecretRotationProps
- type SecretStringGenerator
- type SecretStringValueBeta1
- type SecretTargetAttachment
- type SecretTargetAttachmentProps
- type SingleUserHostedRotationOptions
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CfnResourcePolicy_CFN_RESOURCE_TYPE_NAME ¶
func CfnResourcePolicy_CFN_RESOURCE_TYPE_NAME() *string
func CfnResourcePolicy_IsCfnElement ¶
func CfnResourcePolicy_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnResourcePolicy_IsCfnResource ¶
func CfnResourcePolicy_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnResourcePolicy_IsConstruct ¶
func CfnResourcePolicy_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func CfnRotationSchedule_CFN_RESOURCE_TYPE_NAME ¶
func CfnRotationSchedule_CFN_RESOURCE_TYPE_NAME() *string
func CfnRotationSchedule_IsCfnElement ¶
func CfnRotationSchedule_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnRotationSchedule_IsCfnResource ¶
func CfnRotationSchedule_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnRotationSchedule_IsConstruct ¶
func CfnRotationSchedule_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func CfnSecretTargetAttachment_CFN_RESOURCE_TYPE_NAME ¶
func CfnSecretTargetAttachment_CFN_RESOURCE_TYPE_NAME() *string
func CfnSecretTargetAttachment_IsCfnElement ¶
func CfnSecretTargetAttachment_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnSecretTargetAttachment_IsCfnResource ¶
func CfnSecretTargetAttachment_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnSecretTargetAttachment_IsConstruct ¶
func CfnSecretTargetAttachment_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func CfnSecret_CFN_RESOURCE_TYPE_NAME ¶
func CfnSecret_CFN_RESOURCE_TYPE_NAME() *string
func CfnSecret_IsCfnElement ¶
func CfnSecret_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnSecret_IsCfnResource ¶
func CfnSecret_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnSecret_IsConstruct ¶
func CfnSecret_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func NewCfnResourcePolicy_Override ¶
func NewCfnResourcePolicy_Override(c CfnResourcePolicy, scope constructs.Construct, id *string, props *CfnResourcePolicyProps)
Create a new `AWS::SecretsManager::ResourcePolicy`.
func NewCfnRotationSchedule_Override ¶
func NewCfnRotationSchedule_Override(c CfnRotationSchedule, scope constructs.Construct, id *string, props *CfnRotationScheduleProps)
Create a new `AWS::SecretsManager::RotationSchedule`.
func NewCfnSecretTargetAttachment_Override ¶
func NewCfnSecretTargetAttachment_Override(c CfnSecretTargetAttachment, scope constructs.Construct, id *string, props *CfnSecretTargetAttachmentProps)
Create a new `AWS::SecretsManager::SecretTargetAttachment`.
func NewCfnSecret_Override ¶
func NewCfnSecret_Override(c CfnSecret, scope constructs.Construct, id *string, props *CfnSecretProps)
Create a new `AWS::SecretsManager::Secret`.
func NewResourcePolicy_Override ¶
func NewResourcePolicy_Override(r ResourcePolicy, scope constructs.Construct, id *string, props *ResourcePolicyProps)
func NewRotationSchedule_Override ¶
func NewRotationSchedule_Override(r RotationSchedule, scope constructs.Construct, id *string, props *RotationScheduleProps)
func NewSecretRotationApplication_Override ¶
func NewSecretRotationApplication_Override(s SecretRotationApplication, applicationId *string, semanticVersion *string, options *SecretRotationApplicationOptions)
func NewSecretRotation_Override ¶
func NewSecretRotation_Override(s SecretRotation, scope constructs.Construct, id *string, props *SecretRotationProps)
func NewSecretTargetAttachment_Override ¶
func NewSecretTargetAttachment_Override(s SecretTargetAttachment, scope constructs.Construct, id *string, props *SecretTargetAttachmentProps)
func NewSecret_Override ¶
func NewSecret_Override(s Secret, scope constructs.Construct, id *string, props *SecretProps)
func ResourcePolicy_IsConstruct ¶
func ResourcePolicy_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func ResourcePolicy_IsResource ¶
func ResourcePolicy_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func RotationSchedule_IsConstruct ¶
func RotationSchedule_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func RotationSchedule_IsResource ¶
func RotationSchedule_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func SecretRotation_IsConstruct ¶
func SecretRotation_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func SecretTargetAttachment_IsConstruct ¶
func SecretTargetAttachment_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func SecretTargetAttachment_IsResource ¶
func SecretTargetAttachment_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func Secret_IsConstruct ¶
func Secret_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func Secret_IsResource ¶
func Secret_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
Types ¶
type AttachedSecretOptions ¶
// AttachedSecretOptions holds the options for adding a secret attachment to a
// secret: the only setting is the target the secret is attached to.
type AttachedSecretOptions struct {
	// The target to attach the secret to.
	Target ISecretAttachmentTarget `json:"target" yaml:"target"`
}
Options to add a secret attachment to a secret.
TODO: EXAMPLE
type AttachmentTargetType ¶
// AttachmentTargetType names the type of service or database that is being
// associated with a secret. The known values are the AttachmentTargetType_*
// constants declared below.
type AttachmentTargetType string
The type of service or database that's being associated with the secret.
// Known attachment target types.
// NOTE(review): presumably the string values are the literal TargetType sent to
// CloudFormation for the attachment — confirm against CfnSecretTargetAttachmentProps.
const (
	// Amazon RDS targets.
	AttachmentTargetType_RDS_DB_INSTANCE AttachmentTargetType = "RDS_DB_INSTANCE"
	AttachmentTargetType_RDS_DB_CLUSTER  AttachmentTargetType = "RDS_DB_CLUSTER"
	AttachmentTargetType_RDS_DB_PROXY    AttachmentTargetType = "RDS_DB_PROXY"
	// Amazon Redshift target.
	AttachmentTargetType_REDSHIFT_CLUSTER AttachmentTargetType = "REDSHIFT_CLUSTER"
	// Amazon DocumentDB targets.
	AttachmentTargetType_DOCDB_DB_INSTANCE AttachmentTargetType = "DOCDB_DB_INSTANCE"
	AttachmentTargetType_DOCDB_DB_CLUSTER  AttachmentTargetType = "DOCDB_DB_CLUSTER"
)
type CfnResourcePolicy ¶
// CfnResourcePolicy is the CloudFormation `AWS::SecretsManager::ResourcePolicy`
// resource: it attaches a resource-based permission policy to a secret.
// Construct one with NewCfnResourcePolicy; the meaning of each property is
// documented on CfnResourcePolicyProps.
type CfnResourcePolicy interface {
	awscdk.CfnResource
	awscdk.IInspectable

	// Whether policies that grant broad access (e.g. a wildcard principal) are
	// rejected. Untyped (interface{}) — presumably so a token can be passed as
	// well as a literal bool; confirm against the props documentation.
	BlockPublicPolicy() interface{}
	SetBlockPublicPolicy(val interface{})
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	// The resource-based policy document attached to the secret.
	ResourcePolicy() interface{}
	SetResourcePolicy(val interface{})
	// ARN or name of the secret the policy is attached to.
	SecretId() *string
	SetSecretId(val *string)
	Stack() awscdk.Stack
	// Spelling is kept as-is: the method name is part of the public API.
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	// Raw template overrides: values set here bypass the typed accessors above.
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::SecretsManager::ResourcePolicy`.
Attaches a resource-based permission policy to a secret. A resource-based policy is optional. For more information, see [Authentication and access control for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).
For information about attaching a policy in the console, see [Attach a permissions policy to a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html).
*Required permissions:* `secretsmanager:PutResourcePolicy`. For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).
TODO: EXAMPLE
func NewCfnResourcePolicy ¶
func NewCfnResourcePolicy(scope constructs.Construct, id *string, props *CfnResourcePolicyProps) CfnResourcePolicy
Create a new `AWS::SecretsManager::ResourcePolicy`.
type CfnResourcePolicyProps ¶
// CfnResourcePolicyProps holds the properties for defining a `CfnResourcePolicy`.
type CfnResourcePolicyProps struct {
	// A JSON-formatted string for an AWS resource-based policy.
	//
	// For example policies, see [Permissions policy examples](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html).
	ResourcePolicy interface{} `json:"resourcePolicy" yaml:"resourcePolicy"`
	// The ARN or name of the secret to attach the resource-based policy.
	//
	// For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.
	SecretId *string `json:"secretId" yaml:"secretId"`
	// Specifies whether to block resource-based policies that allow broad access to the secret.
	//
	// By default, Secrets Manager blocks policies that allow broad access, for example those that use a wildcard for the principal.
	// Setting this to false switches that safeguard off, so leave it unset unless a broad policy is intended and has been reviewed.
	BlockPublicPolicy interface{} `json:"blockPublicPolicy" yaml:"blockPublicPolicy"`
}
Properties for defining a `CfnResourcePolicy`.
TODO: EXAMPLE
type CfnRotationSchedule ¶
// CfnRotationSchedule is the CloudFormation `AWS::SecretsManager::RotationSchedule`
// resource: it configures rotation for a secret. Construct one with
// NewCfnRotationSchedule; the meaning of each property is documented on
// CfnRotationScheduleProps.
type CfnRotationSchedule interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	// Hosted rotation Lambda settings (see CfnRotationSchedule_HostedRotationLambdaProperty).
	HostedRotationLambda() interface{}
	SetHostedRotationLambda(val interface{})
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	RotateImmediatelyOnUpdate() interface{}
	SetRotateImmediatelyOnUpdate(val interface{})
	// ARN of a caller-supplied rotation Lambda, as an alternative to a hosted one.
	RotationLambdaArn() *string
	SetRotationLambdaArn(val *string)
	// Rotation cadence (see CfnRotationSchedule_RotationRulesProperty).
	RotationRules() interface{}
	SetRotationRules(val interface{})
	// ARN or name of the secret being rotated.
	SecretId() *string
	SetSecretId(val *string)
	Stack() awscdk.Stack
	// Spelling is kept as-is: the method name is part of the public API.
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	// Raw template overrides: values set here bypass the typed accessors above.
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::SecretsManager::RotationSchedule`.
Configures rotation for a secret. You must already configure the secret with the details of the database or service. If you define both the secret and the database or service in an AWS CloudFormation template, then define the [AWS::SecretsManager::SecretTargetAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource to populate the secret with the connection details of the database or service before you attempt to configure rotation.
> When you configure rotation for a secret, AWS CloudFormation automatically rotates the secret one time.
TODO: EXAMPLE
func NewCfnRotationSchedule ¶
func NewCfnRotationSchedule(scope constructs.Construct, id *string, props *CfnRotationScheduleProps) CfnRotationSchedule
Create a new `AWS::SecretsManager::RotationSchedule`.
type CfnRotationScheduleProps ¶
// CfnRotationScheduleProps holds the properties for defining a `CfnRotationSchedule`.
type CfnRotationScheduleProps struct {
	// The ARN or name of the secret to rotate.
	//
	// To reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID.
	SecretId *string `json:"secretId" yaml:"secretId"`
	// To use these values, you must specify `Transform: AWS::SecretsManager-2020-07-23` at the beginning of the CloudFormation template.
	//
	// When you enter valid values for `RotationSchedule.HostedRotationLambda`, Secrets Manager launches a Lambda that performs rotation on the secret specified in the `secret-id` property. The template creates a Lambda as part of a nested stack within the current stack.
	HostedRotationLambda interface{} `json:"hostedRotationLambda" yaml:"hostedRotationLambda"`
	// `AWS::SecretsManager::RotationSchedule.RotateImmediatelyOnUpdate`.
	//
	// NOTE(review): not described further on this page. Configuring rotation
	// makes CloudFormation rotate the secret once automatically; presumably this
	// flag governs that immediate rotation on update — confirm before relying on it.
	RotateImmediatelyOnUpdate interface{} `json:"rotateImmediatelyOnUpdate" yaml:"rotateImmediatelyOnUpdate"`
	// The ARN of the Lambda function that can rotate the secret.
	//
	// If you don't specify this parameter, then the secret must already have the ARN of a Lambda function configured.
	//
	// To reference a Lambda function also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the function's logical ID.
	RotationLambdaArn *string `json:"rotationLambdaArn" yaml:"rotationLambdaArn"`
	// A structure that defines the rotation configuration for this secret.
	RotationRules interface{} `json:"rotationRules" yaml:"rotationRules"`
}
Properties for defining a `CfnRotationSchedule`.
TODO: EXAMPLE
type CfnRotationSchedule_HostedRotationLambdaProperty ¶
// CfnRotationSchedule_HostedRotationLambdaProperty specifies that you want to
// create a hosted Lambda rotation function. To use these values, you must
// specify `Transform: AWS::SecretsManager-2020-07-23` at the beginning of the
// CloudFormation template.
type CfnRotationSchedule_HostedRotationLambdaProperty struct {
	// The type of rotation template to use. For more information, see [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html).
	//
	// You can specify one of the following `RotationTypes`:
	//
	// - MySQLSingleUser
	// - MySQLMultiUser
	// - PostgreSQLSingleUser
	// - PostgreSQLMultiUser
	// - OracleSingleUser
	// - OracleMultiUser
	// - MariaDBSingleUser
	// - MariaDBMultiUser
	// - SQLServerSingleUser
	// - SQLServerMultiUser
	// - RedshiftSingleUser
	// - RedshiftMultiUser
	// - MongoDBSingleUser
	// - MongoDBMultiUser
	RotationType *string `json:"rotationType" yaml:"rotationType"`
	// The ARN of the KMS key that Secrets Manager uses to encrypt the secret.
	//
	// If you don't specify this value, then Secrets Manager uses the key `aws/secretsmanager`. If `aws/secretsmanager` doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
	KmsKeyArn *string `json:"kmsKeyArn" yaml:"kmsKeyArn"`
	// The ARN of the secret that contains elevated credentials.
	//
	// The Lambda rotation function uses this secret for the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users).
	//
	// NOTE(review): MasterSecretArn and SuperuserSecretArn carry identical
	// descriptions on this page; which one the transform honors when both are
	// set is not stated here — confirm before setting either.
	MasterSecretArn *string `json:"masterSecretArn" yaml:"masterSecretArn"`
	// The ARN of the KMS key that Secrets Manager uses to encrypt the elevated secret if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users). If you don't specify this value and you use the alternating users strategy, then Secrets Manager uses the key `aws/secretsmanager`. If `aws/secretsmanager` doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
	MasterSecretKmsKeyArn *string `json:"masterSecretKmsKeyArn" yaml:"masterSecretKmsKeyArn"`
	// The name of the Lambda rotation function.
	RotationLambdaName *string `json:"rotationLambdaName" yaml:"rotationLambdaName"`
	// The ARN of the secret that contains elevated credentials.
	//
	// The Lambda rotation function uses this secret for the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users).
	//
	// Because this secret holds elevated credentials, keep access to it (its own
	// resource policy and KMS key) limited to the rotation function.
	SuperuserSecretArn *string `json:"superuserSecretArn" yaml:"superuserSecretArn"`
	// The ARN of the KMS key that Secrets Manager uses to encrypt the elevated secret if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users). If you don't specify this value and you use the alternating users strategy, then Secrets Manager uses the key `aws/secretsmanager`. If `aws/secretsmanager` doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
	SuperuserSecretKmsKeyArn *string `json:"superuserSecretKmsKeyArn" yaml:"superuserSecretKmsKeyArn"`
	// A comma-separated list of security group IDs applied to the target database.
	//
	// The template applies the same security groups as on the Lambda rotation function that is created as part of this stack.
	VpcSecurityGroupIds *string `json:"vpcSecurityGroupIds" yaml:"vpcSecurityGroupIds"`
	// A comma-separated list of VPC subnet IDs of the target database network.
	//
	// The Lambda rotation function is in the same subnet group.
	VpcSubnetIds *string `json:"vpcSubnetIds" yaml:"vpcSubnetIds"`
}
Specifies that you want to create a hosted Lambda rotation function.
To use these values, you must specify `Transform: AWS::SecretsManager-2020-07-23` at the beginning of the CloudFormation template.
TODO: EXAMPLE
type CfnRotationSchedule_RotationRulesProperty ¶
// CfnRotationSchedule_RotationRulesProperty is a structure that defines the
// rotation configuration for the secret.
type CfnRotationSchedule_RotationRulesProperty struct {
	// The number of days between automatic scheduled rotations of the secret.
	//
	// You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.
	//
	// In `DescribeSecret` and `ListSecrets`, this value is calculated from the rotation schedule after every successful rotation. In `RotateSecret`, you can set the rotation schedule in `RotationRules` with `AutomaticallyAfterDays` or `ScheduleExpression`, but not both.
	AutomaticallyAfterDays *float64 `json:"automaticallyAfterDays" yaml:"automaticallyAfterDays"`
	// `CfnRotationSchedule.RotationRulesProperty.Duration`.
	//
	// NOTE(review): not described on this page — confirm its format and meaning
	// against the CloudFormation RotationRules documentation before use.
	Duration *string `json:"duration" yaml:"duration"`
	// `CfnRotationSchedule.RotationRulesProperty.ScheduleExpression`.
	//
	// Mutually exclusive with AutomaticallyAfterDays (see above); its exact
	// expression syntax is not described on this page.
	ScheduleExpression *string `json:"scheduleExpression" yaml:"scheduleExpression"`
}
A structure that defines the rotation configuration for the secret.
TODO: EXAMPLE
type CfnSecret ¶
// CfnSecret is the CloudFormation `AWS::SecretsManager::Secret` resource: it
// creates a new secret. Construct one with NewCfnSecret; the meaning of each
// property is documented on CfnSecretProps.
type CfnSecret interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	Description() *string
	SetDescription(val *string)
	// Password-generation settings; exactly one of this and SecretString is
	// expected to be set (see CfnSecretProps).
	GenerateSecretString() interface{}
	SetGenerateSecretString(val interface{})
	// KMS key used to encrypt the secret value; unset means `aws/secretsmanager`.
	KmsKeyId() *string
	SetKmsKeyId(val *string)
	LogicalId() *string
	Name() *string
	SetName(val *string)
	Node() constructs.Node
	Ref() *string
	ReplicaRegions() interface{}
	SetReplicaRegions(val interface{})
	// Literal secret value; see the SecretString notes on CfnSecretProps.
	SecretString() *string
	SetSecretString(val *string)
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	// Spelling is kept as-is: the method name is part of the public API.
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	// Raw template overrides: values set here bypass the typed accessors above.
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::SecretsManager::Secret`.
Creates a new secret. A *secret* is a set of credentials, such as a user name and password, that you store in an encrypted form in Secrets Manager. The secret also includes the connection information to access a database or other service, which Secrets Manager doesn't encrypt. A secret in Secrets Manager consists of both the protected secret data and the important information needed to manage the secret.
For information about creating a secret in the console, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html).
For information about creating a secret using the CLI or SDK, see [CreateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html).
To specify the encrypted value for the secret, you must include either the `GenerateSecretString` or the `SecretString` property, but not both. We recommend that you use the `GenerateSecretString` property to generate a random password as shown in the examples. You can't generate a secret with a `SecretBinary` secret value using AWS CloudFormation.
> Do not create a dynamic reference using a backslash `(\)` as the final value. AWS CloudFormation cannot resolve those references, which causes a resource failure.
TODO: EXAMPLE
func NewCfnSecret ¶
func NewCfnSecret(scope constructs.Construct, id *string, props *CfnSecretProps) CfnSecret
Create a new `AWS::SecretsManager::Secret`.
type CfnSecretProps ¶
// CfnSecretProps holds the properties for defining a `CfnSecret`
// (the L1 `AWS::SecretsManager::Secret` resource).
//
// Field comments carry the CloudFormation property documentation; the struct
// tags give the JSON/YAML property names.
type CfnSecretProps struct {
	// The description of the secret.
	Description *string `json:"description" yaml:"description"`
	// A structure that specifies how to generate a password to encrypt and store in the secret.
	//
	// Either `GenerateSecretString` or `SecretString` must have a value, but not both. They cannot both be empty.
	//
	// We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
	GenerateSecretString interface{} `json:"generateSecretString" yaml:"generateSecretString"`
	// The ARN, key ID, or alias of the AWS KMS key that Secrets Manager uses to encrypt the secret value in the secret.
	//
	// To use a AWS KMS key in a different account, use the key ARN or the alias ARN.
	//
	// If you don't specify this value, then Secrets Manager uses the key `aws/secretsmanager` . If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
	//
	// If the secret is in a different AWS account from the credentials calling the API, then you can't use `aws/secretsmanager` to encrypt the secret, and you must create and use a customer managed AWS KMS key.
	KmsKeyId *string `json:"kmsKeyId" yaml:"kmsKeyId"`
	// The name of the new secret.
	//
	// The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@-
	//
	// Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.
	Name *string `json:"name" yaml:"name"`
	// A custom type that specifies a `Region` and the `KmsKeyId` for a replica secret.
	ReplicaRegions interface{} `json:"replicaRegions" yaml:"replicaRegions"`
	// The text to encrypt and store in the secret.
	//
	// We recommend you use a JSON structure of key/value pairs for your secret value.
	//
	// Either `GenerateSecretString` or `SecretString` must have a value, but not both. They cannot both be empty. We recommend that you use the `GenerateSecretString` property to generate a random password.
	//
	// NOTE(review): a literal value given here ends up in the synthesized CloudFormation
	// template (see the `SecretStringBeta1` documentation on `SecretProps`), where anyone
	// who can read the template can read it. Prefer `GenerateSecretString`, or a
	// reference to another resource rather than a plaintext string.
	SecretString *string `json:"secretString" yaml:"secretString"`
	// A list of tags to attach to the secret.
	//
	// Each tag is a key and value pair of strings in a JSON text string, for example:
	//
	// `[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]`
	//
	// Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc".
	//
	// If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an `Access Denied` error. For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2) .
	//
	// For information about how to format a JSON parameter for the various command line tool environments, see [Using JSON for Parameters](https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json) . If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.
	//
	// The following restrictions apply to tags:
	//
	// - Maximum number of tags per secret: 50
	// - Maximum key length: 127 Unicode characters in UTF-8
	// - Maximum value length: 255 Unicode characters in UTF-8
	// - Tag keys and values are case sensitive.
	// - Do not use the `aws:` prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.
	// - If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
	Tags *[]*awscdk.CfnTag `json:"tags" yaml:"tags"`
}
Properties for defining a `CfnSecret`.
TODO: EXAMPLE
type CfnSecretTargetAttachment ¶
// CfnSecretTargetAttachment is the L1 construct for a CloudFormation
// `AWS::SecretsManager::SecretTargetAttachment` resource.
//
// It embeds the generic CloudFormation resource surface (`awscdk.CfnResource`,
// `awscdk.IInspectable`) and adds getters/setters for the three resource
// properties documented on `CfnSecretTargetAttachmentProps`.
type CfnSecretTargetAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	// The ARN or name of the secret (the `SecretId` property).
	SecretId() *string
	SetSecretId(val *string)
	Stack() awscdk.Stack
	// The ID of the database or cluster (the `TargetId` property).
	TargetId() *string
	SetTargetId(val *string)
	// The type of service or database associated with the secret (the `TargetType` property);
	// see `CfnSecretTargetAttachmentProps` for the accepted values.
	TargetType() *string
	SetTargetType(val *string)
	// Spelling follows the generated API; kept as-is for compatibility.
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::SecretsManager::SecretTargetAttachment`.
The `AWS::SecretsManager::SecretTargetAttachment` resource completes the final link between a Secrets Manager secret and the associated database. This is required because each has a dependency on the other. No matter which one you create first, the other doesn't exist yet. To resolve this, you must create the resources in the following order:
- Define the secret without referencing the service or database. You can't reference the service or database because it doesn't exist yet. The secret must contain a user name and password. - Next, define the service or database. Include the reference to the secret to use stored credentials to define the database admin user and password. - Finally, define a `SecretTargetAttachment` resource type to finish configuring the secret with the required database engine type and the connection details of the service or database. A rotation function, if you attach one later by defining an [AWS::SecretsManager::RotationSchedule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html) resource type, requires these details.
TODO: EXAMPLE
func NewCfnSecretTargetAttachment ¶
func NewCfnSecretTargetAttachment(scope constructs.Construct, id *string, props *CfnSecretTargetAttachmentProps) CfnSecretTargetAttachment
Create a new `AWS::SecretsManager::SecretTargetAttachment`.
type CfnSecretTargetAttachmentProps ¶
// CfnSecretTargetAttachmentProps holds the properties for defining a
// `CfnSecretTargetAttachment` (`AWS::SecretsManager::SecretTargetAttachment`).
type CfnSecretTargetAttachmentProps struct {
	// The ARN or name of the secret.
	//
	// To reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID.
	SecretId *string `json:"secretId" yaml:"secretId"`
	// The ID of the database or cluster.
	TargetId *string `json:"targetId" yaml:"targetId"`
	// A string that defines the type of service or database associated with the secret.
	//
	// This value instructs Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following:
	//
	// - AWS::RDS::DBInstance
	// - AWS::RDS::DBCluster
	// - AWS::Redshift::Cluster
	// - AWS::DocDB::DBInstance
	// - AWS::DocDB::DBCluster
	TargetType *string `json:"targetType" yaml:"targetType"`
}
Properties for defining a `CfnSecretTargetAttachment`.
TODO: EXAMPLE
type CfnSecret_GenerateSecretStringProperty ¶
// CfnSecret_GenerateSecretStringProperty describes how Secrets Manager should
// generate a random password for the secret (the `GenerateSecretString`
// property of `AWS::SecretsManager::Secret`).
//
// Every `Exclude*` switch removes a character class from the generated value,
// and `ExcludeCharacters` removes individual characters; fewer allowed
// characters means less entropy per character, so exclude only what the
// target system cannot accept and keep `PasswordLength` as long as it allows.
type CfnSecret_GenerateSecretStringProperty struct {
	// A string of the characters that you don't want in the password.
	ExcludeCharacters *string `json:"excludeCharacters" yaml:"excludeCharacters"`
	// Specifies whether to exclude lowercase letters from the password.
	//
	// If you don't include this switch, the password can contain lowercase letters.
	ExcludeLowercase interface{} `json:"excludeLowercase" yaml:"excludeLowercase"`
	// Specifies whether to exclude numbers from the password.
	//
	// If you don't include this switch, the password can contain numbers.
	ExcludeNumbers interface{} `json:"excludeNumbers" yaml:"excludeNumbers"`
	// Specifies whether to exclude the following punctuation characters from the password:
	// `! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~` .
	//
	// If you don't include this switch, the password can contain punctuation.
	ExcludePunctuation interface{} `json:"excludePunctuation" yaml:"excludePunctuation"`
	// Specifies whether to exclude uppercase letters from the password.
	//
	// If you don't include this switch, the password can contain uppercase letters.
	ExcludeUppercase interface{} `json:"excludeUppercase" yaml:"excludeUppercase"`
	// The JSON key name for the key/value pair, where the value is the generated password.
	//
	// This pair is added to the JSON structure specified by the `SecretStringTemplate` parameter. If you specify this parameter, then you must also specify `SecretStringTemplate` .
	GenerateStringKey *string `json:"generateStringKey" yaml:"generateStringKey"`
	// Specifies whether to include the space character.
	//
	// If you include this switch, the password can contain space characters.
	IncludeSpace interface{} `json:"includeSpace" yaml:"includeSpace"`
	// The length of the password.
	//
	// If you don't include this parameter, the default length is 32 characters.
	PasswordLength *float64 `json:"passwordLength" yaml:"passwordLength"`
	// Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation.
	//
	// If you don't include this switch, the password contains at least one of every character type.
	RequireEachIncludedType interface{} `json:"requireEachIncludedType" yaml:"requireEachIncludedType"`
	// A template that the generated string must match.
	SecretStringTemplate *string `json:"secretStringTemplate" yaml:"secretStringTemplate"`
}
Generates a random password.
We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
*Required permissions:* `secretsmanager:GetRandomPassword` . For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html) .
TODO: EXAMPLE
type CfnSecret_ReplicaRegionProperty ¶
// CfnSecret_ReplicaRegionProperty specifies a `Region` and the `KmsKeyId`
// for a replica secret.
type CfnSecret_ReplicaRegionProperty struct {
	// The region in which the replica secret is created.
	Region *string `json:"region" yaml:"region"`
	// The ARN, key ID, or alias of the KMS key to encrypt the secret.
	//
	// If you don't include this field, Secrets Manager uses `aws/secretsmanager` .
	KmsKeyId *string `json:"kmsKeyId" yaml:"kmsKeyId"`
}
A custom type that specifies a `Region` and the `KmsKeyId` for a replica secret.
TODO: EXAMPLE
type HostedRotation ¶
// HostedRotation is a rotation scheme backed by a Secrets Manager hosted
// rotation Lambda. Instances are obtained from the `HostedRotation_*`
// constructor functions (one per engine and single/multi user scheme).
type HostedRotation interface {
	awsec2.IConnectable
	// Connections exposes the network connections of the rotation function.
	Connections() awsec2.Connections
	// Bind renders the `HostedRotationLambda` property for the given secret
	// within the given scope.
	Bind(secret ISecret, scope constructs.Construct) *CfnRotationSchedule_HostedRotationLambdaProperty
}
A hosted rotation.
TODO: EXAMPLE
func HostedRotation_MariaDbMultiUser ¶
func HostedRotation_MariaDbMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
MariaDB Multi User.
func HostedRotation_MariaDbSingleUser ¶
func HostedRotation_MariaDbSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
MariaDB Single User.
func HostedRotation_MongoDbMultiUser ¶
func HostedRotation_MongoDbMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
MongoDB Multi User.
func HostedRotation_MongoDbSingleUser ¶
func HostedRotation_MongoDbSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
MongoDB Single User.
func HostedRotation_MysqlMultiUser ¶
func HostedRotation_MysqlMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
MySQL Multi User.
func HostedRotation_MysqlSingleUser ¶
func HostedRotation_MysqlSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
MySQL Single User.
func HostedRotation_OracleMultiUser ¶
func HostedRotation_OracleMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
Oracle Multi User.
func HostedRotation_OracleSingleUser ¶
func HostedRotation_OracleSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
Oracle Single User.
func HostedRotation_PostgreSqlMultiUser ¶
func HostedRotation_PostgreSqlMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
PostgreSQL Multi User.
func HostedRotation_PostgreSqlSingleUser ¶
func HostedRotation_PostgreSqlSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
PostgreSQL Single User.
func HostedRotation_RedshiftMultiUser ¶
func HostedRotation_RedshiftMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
Redshift Multi User.
func HostedRotation_RedshiftSingleUser ¶
func HostedRotation_RedshiftSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
Redshift Single User.
func HostedRotation_SqlServerMultiUser ¶
func HostedRotation_SqlServerMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
SQL Server Multi User.
func HostedRotation_SqlServerSingleUser ¶
func HostedRotation_SqlServerSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
SQL Server Single User.
type HostedRotationType ¶
Hosted rotation type.
TODO: EXAMPLE
func HostedRotationType_MARIADB_MULTI_USER ¶
func HostedRotationType_MARIADB_MULTI_USER() HostedRotationType
func HostedRotationType_MARIADB_SINGLE_USER ¶
func HostedRotationType_MARIADB_SINGLE_USER() HostedRotationType
func HostedRotationType_MONGODB_MULTI_USER ¶
func HostedRotationType_MONGODB_MULTI_USER() HostedRotationType
func HostedRotationType_MONGODB_SINGLE_USER ¶
func HostedRotationType_MONGODB_SINGLE_USER() HostedRotationType
func HostedRotationType_MYSQL_MULTI_USER ¶
func HostedRotationType_MYSQL_MULTI_USER() HostedRotationType
func HostedRotationType_MYSQL_SINGLE_USER ¶
func HostedRotationType_MYSQL_SINGLE_USER() HostedRotationType
func HostedRotationType_ORACLE_MULTI_USER ¶
func HostedRotationType_ORACLE_MULTI_USER() HostedRotationType
func HostedRotationType_ORACLE_SINGLE_USER ¶
func HostedRotationType_ORACLE_SINGLE_USER() HostedRotationType
func HostedRotationType_POSTGRESQL_MULTI_USER ¶
func HostedRotationType_POSTGRESQL_MULTI_USER() HostedRotationType
func HostedRotationType_POSTGRESQL_SINGLE_USER ¶
func HostedRotationType_POSTGRESQL_SINGLE_USER() HostedRotationType
func HostedRotationType_REDSHIFT_MULTI_USER ¶
func HostedRotationType_REDSHIFT_MULTI_USER() HostedRotationType
func HostedRotationType_REDSHIFT_SINGLE_USER ¶
func HostedRotationType_REDSHIFT_SINGLE_USER() HostedRotationType
func HostedRotationType_SQLSERVER_MULTI_USER ¶
func HostedRotationType_SQLSERVER_MULTI_USER() HostedRotationType
func HostedRotationType_SQLSERVER_SINGLE_USER ¶
func HostedRotationType_SQLSERVER_SINGLE_USER() HostedRotationType
type ISecret ¶
// ISecret is a secret in AWS Secrets Manager, whether created in this stack
// or imported via one of the `Secret_From*` functions.
type ISecret interface {
	awscdk.IResource
	// Adds a rotation schedule to the secret.
	AddRotationSchedule(id *string, options *RotationScheduleOptions) RotationSchedule
	// Adds a statement to the IAM resource policy associated with this secret.
	//
	// If this secret was created in this stack, a resource policy will be
	// automatically created upon the first call to `addToResourcePolicy`. If
	// the secret is imported, then this is a no-op.
	AddToResourcePolicy(statement awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
	// Attach a target to this secret.
	//
	// Returns: An attached secret
	Attach(target ISecretAttachmentTarget) ISecret
	// Denies the `DeleteSecret` action to all principals within the current account.
	DenyAccountRootDelete()
	// Grants reading the secret value to some role.
	//
	// NOTE(review): `versionStages` presumably narrows the grant to the listed
	// version stages when non-nil — confirm against the implementation.
	GrantRead(grantee awsiam.IGrantable, versionStages *[]*string) awsiam.Grant
	// Grants writing and updating the secret value to some role.
	GrantWrite(grantee awsiam.IGrantable) awsiam.Grant
	// Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`.
	SecretValueFromJson(key *string) awscdk.SecretValue
	// The customer-managed encryption key that is used to encrypt this secret, if any.
	//
	// When not specified, the default
	// KMS key for the account and region is being used.
	EncryptionKey() awskms.IKey
	// The ARN of the secret in AWS Secrets Manager.
	//
	// Will return the full ARN if available, otherwise a partial arn.
	// For secrets imported by the deprecated `fromSecretName`, it will return the `secretName`.
	SecretArn() *string
	// The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
	//
	// This is equal to `secretArn` in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
	SecretFullArn() *string
	// The name of the secret.
	//
	// For "owned" secrets, this will be the full resource name (secret name + suffix), unless the
	// '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
	SecretName() *string
	// Retrieve the value of the stored secret as a `SecretValue`.
	SecretValue() awscdk.SecretValue
}
A secret in AWS Secrets Manager.
func Secret_FromSecretAttributes ¶
func Secret_FromSecretAttributes(scope constructs.Construct, id *string, attrs *SecretAttributes) ISecret
Import an existing secret into the Stack.
func Secret_FromSecretCompleteArn ¶
func Secret_FromSecretCompleteArn(scope constructs.Construct, id *string, secretCompleteArn *string) ISecret
Imports a secret by complete ARN.
The complete ARN is the ARN with the Secrets Manager-supplied suffix.
func Secret_FromSecretNameV2 ¶
Imports a secret by secret name.
A secret with this name must exist in the same account & region. Replaces the deprecated `fromSecretName`.
func Secret_FromSecretPartialArn ¶
func Secret_FromSecretPartialArn(scope constructs.Construct, id *string, secretPartialArn *string) ISecret
Imports a secret by partial ARN.
The partial ARN is the ARN without the Secrets Manager-supplied suffix.
type ISecretAttachmentTarget ¶
// ISecretAttachmentTarget is a service or database that a secret can be
// attached to (see `ISecret.Attach`).
type ISecretAttachmentTarget interface {
	// Renders the target specifications.
	AsSecretAttachmentTarget() *SecretAttachmentTargetProps
}
A secret attachment target.
type ISecretTargetAttachment ¶
// ISecretTargetAttachment is an `ISecret` that has been attached to a target;
// it is what `ISecret.Attach` and the `SecretTargetAttachment_From*` functions return.
type ISecretTargetAttachment interface {
	ISecret
	// Same as `secretArn`.
	SecretTargetAttachmentSecretArn() *string
}
func SecretTargetAttachment_FromSecretTargetAttachmentSecretArn ¶
func SecretTargetAttachment_FromSecretTargetAttachmentSecretArn(scope constructs.Construct, id *string, secretTargetAttachmentSecretArn *string) ISecretTargetAttachment
type MultiUserHostedRotationOptions ¶
// MultiUserHostedRotationOptions configures a multi user hosted rotation
// (see the `HostedRotation_*MultiUser` constructors).
type MultiUserHostedRotationOptions struct {
	// A name for the Lambda created to rotate the secret.
	FunctionName *string `json:"functionName" yaml:"functionName"`
	// A list of security groups for the Lambda created to rotate the secret.
	SecurityGroups *[]awsec2.ISecurityGroup `json:"securityGroups" yaml:"securityGroups"`
	// The VPC where the Lambda rotation function will run.
	Vpc awsec2.IVpc `json:"vpc" yaml:"vpc"`
	// The type of subnets in the VPC where the Lambda rotation function will run.
	VpcSubnets *awsec2.SubnetSelection `json:"vpcSubnets" yaml:"vpcSubnets"`
	// The master secret for a multi user rotation scheme.
	MasterSecret ISecret `json:"masterSecret" yaml:"masterSecret"`
}
Multi user hosted rotation options.
TODO: EXAMPLE
type ReplicaRegion ¶
// ReplicaRegion describes one region a secret is replicated to
// (see `SecretProps.ReplicaRegions` and `Secret.AddReplicaRegion`).
type ReplicaRegion struct {
	// The name of the region.
	Region *string `json:"region" yaml:"region"`
	// The customer-managed encryption key to use for encrypting the secret value.
	EncryptionKey awskms.IKey `json:"encryptionKey" yaml:"encryptionKey"`
}
Secret replica region.
TODO: EXAMPLE
type ResourcePolicy ¶
// ResourcePolicy is the resource-based policy attached to a Secrets Manager
// secret. Prefer `ISecret.AddToResourcePolicy`, which creates one on demand,
// over constructing this directly.
type ResourcePolicy interface {
	awscdk.Resource
	// Document returns the IAM policy document this resource policy renders.
	Document() awsiam.PolicyDocument
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	Stack() awscdk.Stack
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}
Resource Policy for SecretsManager Secrets.
Policies define the operations that are allowed on this resource.
You almost never need to define this construct directly.
All AWS resources that support resource policies have a method called `addToResourcePolicy()`, which will automatically create a new resource policy if one doesn't exist yet, otherwise it will add to the existing policy.
Prefer to use `addToResourcePolicy()` instead.
TODO: EXAMPLE
func NewResourcePolicy ¶
func NewResourcePolicy(scope constructs.Construct, id *string, props *ResourcePolicyProps) ResourcePolicy
type ResourcePolicyProps ¶
// ResourcePolicyProps holds the construction properties for a `ResourcePolicy`.
type ResourcePolicyProps struct {
	// The secret to attach a resource-based permissions policy.
	Secret ISecret `json:"secret" yaml:"secret"`
}
Construction properties for a ResourcePolicy.
TODO: EXAMPLE
type RotationSchedule ¶
// RotationSchedule is a rotation schedule attached to a secret; it is usually
// created through `ISecret.AddRotationSchedule` rather than `NewRotationSchedule`.
type RotationSchedule interface {
	awscdk.Resource
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	Stack() awscdk.Stack
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}
A rotation schedule.
TODO: EXAMPLE
func NewRotationSchedule ¶
func NewRotationSchedule(scope constructs.Construct, id *string, props *RotationScheduleProps) RotationSchedule
type RotationScheduleOptions ¶
// RotationScheduleOptions are the options accepted by `ISecret.AddRotationSchedule`.
//
// `HostedRotation` and `RotationLambda` are two ways of supplying the rotation
// function; which of them is required, and whether both may be set, is not
// stated here — confirm against the implementation.
type RotationScheduleOptions struct {
	// Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
	AutomaticallyAfter awscdk.Duration `json:"automaticallyAfter" yaml:"automaticallyAfter"`
	// Hosted rotation.
	HostedRotation HostedRotation `json:"hostedRotation" yaml:"hostedRotation"`
	// A Lambda function that can rotate the secret.
	RotationLambda awslambda.IFunction `json:"rotationLambda" yaml:"rotationLambda"`
}
Options to add a rotation schedule to a secret.
TODO: EXAMPLE
type RotationScheduleProps ¶
// RotationScheduleProps holds the construction properties for a `RotationSchedule`:
// the `RotationScheduleOptions` fields plus the secret to rotate.
type RotationScheduleProps struct {
	// Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
	AutomaticallyAfter awscdk.Duration `json:"automaticallyAfter" yaml:"automaticallyAfter"`
	// Hosted rotation.
	HostedRotation HostedRotation `json:"hostedRotation" yaml:"hostedRotation"`
	// A Lambda function that can rotate the secret.
	RotationLambda awslambda.IFunction `json:"rotationLambda" yaml:"rotationLambda"`
	// The secret to rotate.
	//
	// If hosted rotation is used, this must be a JSON string with the following format:
	//
	// ```
	// {
	//   "engine": <required: database engine>,
	//   "host": <required: instance host name>,
	//   "username": <required: username>,
	//   "password": <required: password>,
	//   "dbname": <optional: database name>,
	//   "port": <optional: if not specified, default port will be used>,
	//   "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
	// }
	// ```
	//
	// This is typically the case for a secret referenced from an `AWS::SecretsManager::SecretTargetAttachment`
	// or an `ISecret` returned by the `attach()` method of `Secret`.
	Secret ISecret `json:"secret" yaml:"secret"`
}
Construction properties for a RotationSchedule.
TODO: EXAMPLE
type Secret ¶
// Secret is a secret created in AWS Secrets Manager by this stack
// (as opposed to one imported with the `Secret_From*` functions).
type Secret interface {
	awscdk.Resource
	ISecret
	// The ARN used when writing policy statements about this secret.
	ArnForPolicies() *string
	// Whether a resource policy is created automatically on the first
	// `AddToResourcePolicy` call (see `ISecret.AddToResourcePolicy`).
	AutoCreatePolicy() *bool
	EncryptionKey() awskms.IKey
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	SecretArn() *string
	SecretFullArn() *string
	SecretName() *string
	SecretValue() awscdk.SecretValue
	Stack() awscdk.Stack
	// Adds a replica of this secret in another region, encrypted with the given key.
	AddReplicaRegion(region *string, encryptionKey awskms.IKey)
	AddRotationSchedule(id *string, options *RotationScheduleOptions) RotationSchedule
	AddToResourcePolicy(statement awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	Attach(target ISecretAttachmentTarget) ISecret
	DenyAccountRootDelete()
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	GrantRead(grantee awsiam.IGrantable, versionStages *[]*string) awsiam.Grant
	GrantWrite(grantee awsiam.IGrantable) awsiam.Grant
	SecretValueFromJson(jsonField *string) awscdk.SecretValue
	ToString() *string
}
Creates a new secret in AWS SecretsManager.
TODO: EXAMPLE
func NewSecret ¶
func NewSecret(scope constructs.Construct, id *string, props *SecretProps) Secret
type SecretAttachmentTargetProps ¶
// SecretAttachmentTargetProps are the target specifications rendered by
// `ISecretAttachmentTarget.AsSecretAttachmentTarget`.
type SecretAttachmentTargetProps struct {
	// The id of the target to attach the secret to.
	TargetId *string `json:"targetId" yaml:"targetId"`
	// The type of the target to attach the secret to.
	TargetType AttachmentTargetType `json:"targetType" yaml:"targetType"`
}
Attachment target specifications.
TODO: EXAMPLE
type SecretAttributes ¶
// SecretAttributes are the attributes required to import an existing secret
// into the Stack via `Secret_FromSecretAttributes`.
//
// NOTE(review): the field comments mention a `secretArn` option, but this
// struct only exposes `SecretCompleteArn` and `SecretPartialArn` — confirm
// against the upstream source whether `secretArn` still exists.
type SecretAttributes struct {
	// The encryption key that is used to encrypt the secret, unless the default SecretsManager key is used.
	EncryptionKey awskms.IKey `json:"encryptionKey" yaml:"encryptionKey"`
	// The complete ARN of the secret in SecretsManager.
	//
	// This is the ARN including the Secrets Manager 6-character suffix.
	// Cannot be used with `secretArn` or `secretPartialArn`.
	SecretCompleteArn *string `json:"secretCompleteArn" yaml:"secretCompleteArn"`
	// The partial ARN of the secret in SecretsManager.
	//
	// This is the ARN without the Secrets Manager 6-character suffix.
	// Cannot be used with `secretArn` or `secretCompleteArn`.
	SecretPartialArn *string `json:"secretPartialArn" yaml:"secretPartialArn"`
}
Attributes required to import an existing secret into the Stack.
One ARN format (`secretArn`, `secretCompleteArn`, `secretPartialArn`) must be provided.
TODO: EXAMPLE
type SecretProps ¶
// SecretProps holds the properties required to create a new secret in
// AWS Secrets Manager with `NewSecret`.
type SecretProps struct {
	// An optional, human-friendly description of the secret.
	Description *string `json:"description" yaml:"description"`
	// The customer-managed encryption key to use for encrypting the secret value.
	EncryptionKey awskms.IKey `json:"encryptionKey" yaml:"encryptionKey"`
	// Configuration for how to generate a secret value.
	//
	// Only one of `secretString` and `generateSecretString` can be provided.
	GenerateSecretString *SecretStringGenerator `json:"generateSecretString" yaml:"generateSecretString"`
	// Policy to apply when the secret is removed from this stack.
	RemovalPolicy awscdk.RemovalPolicy `json:"removalPolicy" yaml:"removalPolicy"`
	// A list of regions where to replicate this secret.
	ReplicaRegions *[]*ReplicaRegion `json:"replicaRegions" yaml:"replicaRegions"`
	// A name for the secret.
	//
	// Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to
	// 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.
	SecretName *string `json:"secretName" yaml:"secretName"`
	// Initial value for the secret.
	//
	// **NOTE:** *It is **highly** encouraged to leave this field undefined and allow SecretsManager to create the secret value.
	// The secret string -- if provided -- will be included in the output of the cdk as part of synthesis,
	// and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to
	// another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access
	// to the CloudFormation template (via the AWS Console, SDKs, or CLI).
	//
	// Specifies text data that you want to encrypt and store in this new version of the secret.
	// May be a simple string value, or a string representation of a JSON structure.
	//
	// Only one of `secretString` and `generateSecretString` can be provided.
	SecretStringBeta1 SecretStringValueBeta1 `json:"secretStringBeta1" yaml:"secretStringBeta1"`
}
The properties required to create a new secret in AWS Secrets Manager.
TODO: EXAMPLE
type SecretRotation ¶
// SecretRotation wires a secret to a rotation serverless application for a
// service or database; it is a plain construct rather than a CloudFormation resource.
type SecretRotation interface {
	constructs.Construct
	Node() constructs.Node
	ToString() *string
}
Secret rotation for a service or database.
TODO: EXAMPLE
func NewSecretRotation ¶
func NewSecretRotation(scope constructs.Construct, id *string, props *SecretRotationProps) SecretRotation
type SecretRotationApplication ¶
// SecretRotationApplication identifies a secret rotation serverless application
// (an AWS SAR application) by ID and semantic version; the
// `SecretRotationApplication_*` functions return the stock ones.
type SecretRotationApplication interface {
	// Whether the application implements the multi user rotation scheme.
	IsMultiUser() *bool
	// The application ARN for the given partition.
	ApplicationArnForPartition(partition *string) *string
	// The application's semantic version for the given partition.
	SemanticVersionForPartition(partition *string) *string
}
A secret rotation serverless application.
TODO: EXAMPLE
func NewSecretRotationApplication ¶
func NewSecretRotationApplication(applicationId *string, semanticVersion *string, options *SecretRotationApplicationOptions) SecretRotationApplication
func SecretRotationApplication_MARIADB_ROTATION_MULTI_USER ¶
func SecretRotationApplication_MARIADB_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_MARIADB_ROTATION_SINGLE_USER ¶
func SecretRotationApplication_MARIADB_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_MONGODB_ROTATION_MULTI_USER ¶
func SecretRotationApplication_MONGODB_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_MONGODB_ROTATION_SINGLE_USER ¶
func SecretRotationApplication_MONGODB_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_MYSQL_ROTATION_MULTI_USER ¶
func SecretRotationApplication_MYSQL_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_MYSQL_ROTATION_SINGLE_USER ¶
func SecretRotationApplication_MYSQL_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_ORACLE_ROTATION_MULTI_USER ¶
func SecretRotationApplication_ORACLE_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_ORACLE_ROTATION_SINGLE_USER ¶
func SecretRotationApplication_ORACLE_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_POSTGRES_ROTATION_MULTI_USER ¶
func SecretRotationApplication_POSTGRES_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_POSTGRES_ROTATION_SINGLE_USER ¶
func SecretRotationApplication_POSTGRES_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_REDSHIFT_ROTATION_MULTI_USER ¶
func SecretRotationApplication_REDSHIFT_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_REDSHIFT_ROTATION_SINGLE_USER ¶
func SecretRotationApplication_REDSHIFT_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_SQLSERVER_ROTATION_MULTI_USER ¶
func SecretRotationApplication_SQLSERVER_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_SQLSERVER_ROTATION_SINGLE_USER ¶
func SecretRotationApplication_SQLSERVER_ROTATION_SINGLE_USER() SecretRotationApplication
type SecretRotationApplicationOptions ¶
// SecretRotationApplicationOptions are the options for `NewSecretRotationApplication`.
type SecretRotationApplicationOptions struct {
	// Whether the rotation application uses the multi user scheme.
	IsMultiUser *bool `json:"isMultiUser" yaml:"isMultiUser"`
}
Options for a SecretRotationApplication.
TODO: EXAMPLE
type SecretRotationProps ¶
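// SecretRotationProps are construction properties for a SecretRotation.
type SecretRotationProps struct {
	// The serverless application for the rotation.
	Application SecretRotationApplication `json:"application" yaml:"application"`
	// The secret to rotate. It must be a JSON string with the following format:
	//
	// ```
	// {
	//   "engine": <required: database engine>,
	//   "host": <required: instance host name>,
	//   "username": <required: username>,
	//   "password": <required: password>,
	//   "dbname": <optional: database name>,
	//   "port": <optional: if not specified, default port will be used>,
	//   "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
	// }
	// ```
	//
	// This is typically the case for a secret referenced from an `AWS::SecretsManager::SecretTargetAttachment`
	// or an `ISecret` returned by the `attach()` method of `Secret`.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html
	//
	Secret ISecret `json:"secret" yaml:"secret"`
	// The target service or database.
	Target awsec2.IConnectable `json:"target" yaml:"target"`
	// The VPC where the Lambda rotation function will run.
	Vpc awsec2.IVpc `json:"vpc" yaml:"vpc"`
	// Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
	AutomaticallyAfter awscdk.Duration `json:"automaticallyAfter" yaml:"automaticallyAfter"`
	// The VPC interface endpoint to use for the Secrets Manager API.
	//
	// If you enable private DNS hostnames for your VPC private endpoint (the default), you don't
	// need to specify an endpoint. The standard Secrets Manager DNS hostname the Secrets Manager
	// CLI and SDKs use by default (https://secretsmanager.<region>.amazonaws.com) automatically
	// resolves to your VPC endpoint.
	Endpoint awsec2.IInterfaceVpcEndpoint `json:"endpoint" yaml:"endpoint"`
	// Characters which should not appear in the generated password.
	ExcludeCharacters *string `json:"excludeCharacters" yaml:"excludeCharacters"`
	// The master secret for a multi user rotation scheme.
	MasterSecret ISecret `json:"masterSecret" yaml:"masterSecret"`
	// The security group for the Lambda rotation function.
	SecurityGroup awsec2.ISecurityGroup `json:"securityGroup" yaml:"securityGroup"`
	// The type of subnets in the VPC where the Lambda rotation function will run.
	VpcSubnets *awsec2.SubnetSelection `json:"vpcSubnets" yaml:"vpcSubnets"`
}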
Construction properties for a SecretRotation.
TODO: EXAMPLE
type SecretStringGenerator ¶
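// SecretStringGenerator is configuration to generate secrets such as passwords automatically.
type SecretStringGenerator struct {
	// A string that includes characters that shouldn't be included in the generated password.
	//
	// The string can be a minimum
	// of ``0`` and a maximum of ``4096`` characters long.
	ExcludeCharacters *string `json:"excludeCharacters" yaml:"excludeCharacters"`
	// Specifies that the generated password shouldn't include lowercase letters.
	ExcludeLowercase *bool `json:"excludeLowercase" yaml:"excludeLowercase"`
	// Specifies that the generated password shouldn't include digits.
	ExcludeNumbers *bool `json:"excludeNumbers" yaml:"excludeNumbers"`
	// Specifies that the generated password shouldn't include punctuation characters.
	ExcludePunctuation *bool `json:"excludePunctuation" yaml:"excludePunctuation"`
	// Specifies that the generated password shouldn't include uppercase letters.
	ExcludeUppercase *bool `json:"excludeUppercase" yaml:"excludeUppercase"`
	// The JSON key name that's used to add the generated password to the JSON structure specified by the ``secretStringTemplate`` parameter.
	//
	// If you specify ``generateStringKey`` then ``secretStringTemplate``
	// must also be specified.
	GenerateStringKey *string `json:"generateStringKey" yaml:"generateStringKey"`
	// Specifies that the generated password can include the space character.
	IncludeSpace *bool `json:"includeSpace" yaml:"includeSpace"`
	// The desired length of the generated password.
	PasswordLength *float64 `json:"passwordLength" yaml:"passwordLength"`
	// Specifies whether the generated password must include at least one of every allowed character type.
	RequireEachIncludedType *bool `json:"requireEachIncludedType" yaml:"requireEachIncludedType"`
	// A properly structured JSON string that the generated password can be added to.
	//
	// The ``generateStringKey`` is
	// combined with the generated random string and inserted into the JSON structure that's specified by this parameter.
	// The merged JSON string is returned as the completed SecretString of the secret.
	// If you specify ``secretStringTemplate``
	// then ``generateStringKey`` must also be specified.
	SecretStringTemplate *string `json:"secretStringTemplate" yaml:"secretStringTemplate"`
}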
Configuration to generate secrets such as passwords automatically.
TODO: EXAMPLE
type SecretStringValueBeta1 ¶ added in v2.4.0
// SecretStringValueBeta1 is an experimental interface used to specify an initial secret value for a Secret.
//
// It wraps a simple string (or JSON representation) in order to provide safety checks and warnings
// about the dangers of using plaintext strings as initial secret seed values via CDK/CloudFormation.
type SecretStringValueBeta1 interface {
	// SecretValue returns the wrapped string value.
	SecretValue() *string
}
An experimental class used to specify an initial secret value for a Secret.
The class wraps a simple string (or JSON representation) in order to provide some safety checks and warnings about the dangers of using plaintext strings as initial secret seed values via CDK/CloudFormation.
TODO: EXAMPLE
func SecretStringValueBeta1_FromToken ¶ added in v2.4.0
func SecretStringValueBeta1_FromToken(secretValueFromToken *string) SecretStringValueBeta1
Creates a `SecretStringValueBeta1` from a string value coming from a Token.
The intent is to enable creating secrets from references (e.g., `Ref`, `Fn::GetAtt`) from other resources. This might be the direct output of another Construct, or the output of a Custom Resource. This method throws if it determines the input is an unsafe plaintext string.
For example:

```ts
// Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.
const user = new iam.User(this, 'User');
const accessKey = new iam.AccessKey(this, 'AccessKey', { user });
const secretValue = secretsmanager.SecretStringValueBeta1.fromToken(accessKey.secretAccessKey.toString());
new secretsmanager.Secret(this, 'Secret', {
  secretStringBeta1: secretValue,
});
```
The secret may also be embedded in a string representation of a JSON structure:
```ts
const secretValue = secretsmanager.SecretStringValueBeta1.fromToken(JSON.stringify({
  username: user.userName,
  database: 'foo',
  password: accessKey.secretAccessKey.toString(),
}));
```
Note that the value being a Token does *not* guarantee safety. For example, a Lazy-evaluated string (e.g., `Lazy.string({ produce: () => 'myInsecurePassword' })`) is a Token, but its output is ultimately a plaintext string, and so it is insecure.
func SecretStringValueBeta1_FromUnsafePlaintext ¶ added in v2.4.0
func SecretStringValueBeta1_FromUnsafePlaintext(secretValue *string) SecretStringValueBeta1
Creates a `SecretStringValueBeta1` from a plaintext value.
This approach is inherently unsafe, as the secret value may be visible in your source control repository and will also appear in plaintext in the resulting CloudFormation template, including in the AWS Console or APIs. Usage of this method is discouraged, especially for production workloads.
type SecretTargetAttachment ¶
// SecretTargetAttachment is an attached secret.
//
// It embeds awscdk.Resource, ISecret and ISecretTargetAttachment, so a value of this
// type can be used wherever an ISecret is accepted.
type SecretTargetAttachment interface {
	awscdk.Resource
	ISecret
	ISecretTargetAttachment
	// Attribute accessors.
	ArnForPolicies() *string
	AutoCreatePolicy() *bool
	EncryptionKey() awskms.IKey
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	SecretArn() *string
	SecretFullArn() *string
	SecretName() *string
	SecretTargetAttachmentSecretArn() *string
	SecretValue() awscdk.SecretValue
	Stack() awscdk.Stack
	// Operations on the attached secret.
	AddRotationSchedule(id *string, options *RotationScheduleOptions) RotationSchedule
	AddToResourcePolicy(statement awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	Attach(target ISecretAttachmentTarget) ISecret
	DenyAccountRootDelete()
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	GrantRead(grantee awsiam.IGrantable, versionStages *[]*string) awsiam.Grant
	GrantWrite(grantee awsiam.IGrantable) awsiam.Grant
	SecretValueFromJson(jsonField *string) awscdk.SecretValue
	ToString() *string
}
An attached secret.
TODO: EXAMPLE
func NewSecretTargetAttachment ¶
func NewSecretTargetAttachment(scope constructs.Construct, id *string, props *SecretTargetAttachmentProps) SecretTargetAttachment
type SecretTargetAttachmentProps ¶
// SecretTargetAttachmentProps are construction properties for a SecretTargetAttachment.
type SecretTargetAttachmentProps struct {
	// The target to attach the secret to.
	Target ISecretAttachmentTarget `json:"target" yaml:"target"`
	// The secret to attach to the target.
	Secret ISecret `json:"secret" yaml:"secret"`
}
Construction properties for an AttachedSecret.
TODO: EXAMPLE
type SingleUserHostedRotationOptions ¶
// SingleUserHostedRotationOptions are single user hosted rotation options.
type SingleUserHostedRotationOptions struct {
	// A name for the Lambda created to rotate the secret.
	FunctionName *string `json:"functionName" yaml:"functionName"`
	// A list of security groups for the Lambda created to rotate the secret.
	SecurityGroups *[]awsec2.ISecurityGroup `json:"securityGroups" yaml:"securityGroups"`
	// The VPC where the Lambda rotation function will run.
	Vpc awsec2.IVpc `json:"vpc" yaml:"vpc"`
	// The type of subnets in the VPC where the Lambda rotation function will run.
	VpcSubnets *awsec2.SubnetSelection `json:"vpcSubnets" yaml:"vpcSubnets"`
}
Single user hosted rotation options.
TODO: EXAMPLE